4. VPN Route Distribution via BGP

PE routers use BGP to distribute VPN routes to each other (more accurately, to cause VPN routes to be distributed to each other).

We allow each VPN to have its own address space, which means that a given address may denote different systems in different VPNs. If two routes, to the same IP address prefix, are actually routes to different systems, it is important to ensure that BGP not treat them as comparable. Otherwise BGP might choose to install only one of them, making the other system unreachable. Further, we must ensure that POLICY is used to determine which packets get sent on which routes; given that several such routes are installed by BGP, only one such must appear in any particular VRF.

We meet these goals by the use of a new address family, as specified below.

4.1. The VPN-IPv4 Address Family

The BGP Multiprotocol Extensions [BGP-MP] allow BGP to carry routes from multiple "address families". We introduce the notion of the "VPN-IPv4 address family". A VPN-IPv4 address is a 12-byte quantity, beginning with an 8-byte "Route Distinguisher (RD)" and ending with a 4-byte IPv4 address. If two VPNs use the same IPv4 address prefix, the PEs translate these into unique VPN-IPv4 address prefixes. This ensures that if the same address is used in two different VPNs, it is possible to install two completely different routes to that address, one for each VPN.

The RD does not by itself impose any semantics; it contains no information about the origin of the route or about the set of VPNs to which the route is to be distributed. The purpose of the RD is solely to allow one to create distinct routes to a common IPv4 address prefix. Other means are used to determine where to redistribute the route (see section 4.3).

(The RD contains no information about the route's origin or about the VPNs associated with the route; its only purpose is to produce a unique route for an IPv4 address prefix. Other methods are used when redistributing the route.)

The RD can also be used to create multiple different routes to the very same system.
In section 3, we gave an example where the route to a particular server had to be different for intranet traffic than for extranet traffic. This can be achieved by creating two different VPN-IPv4 routes that have the same IPv4 part, but different RDs. This allows BGP to install multiple different routes to the same system, and allows policy to be used (see section 4.3.5) to decide which packets use which route.

The RDs are structured so that every service provider can administer its own "numbering space" (i.e., can make its own assignments of RDs), without conflicting with the RD assignments made by any other service provider. An RD consists of a two-byte type field, an administrator field, and an assigned number field. The value of the type field determines the lengths of the other two fields, as well as the semantics of the administrator field. The administrator field identifies an assigned number authority, and the assigned number field contains a number which has been assigned, by the identified authority, for a particular purpose. For example, one could have an RD whose administrator field contains an Autonomous System number (ASN), and whose (4-byte) number field contains a number assigned by the SP to whom that ASN belongs (having been assigned to that SP by the appropriate authority).

RDs are given this structure in order to ensure that an SP which provides VPN backbone service can always create a unique RD when it needs to do so. However, the structuring provides no semantics. When BGP compares two such address prefixes, it ignores the structure entirely.

Note that VPN-IPv4 addresses and IPv4 addresses are always considered by BGP to be incomparable.

A VRF may have multiple VPN-IPv4 routes for a single IPv4 address prefix. When a packet's destination address is matched against a VPN-IPv4 route, only the IPv4 part is actually matched.

A PE needs to be configured such that routes which lead to a particular CE become associated with a particular RD.
The configuration may cause all routes leading to the same CE to be associated with the same RD, or it may cause different routes to be associated with different RDs, even if they lead to the same CE.

(A PE should use the same RD for all routes leading to a given CE.)

4.2. Encoding of Route Distinguishers

As stated, a VPN-IPv4 address consists of an 8-byte Route Distinguisher followed by a 4-byte IPv4 address. The RDs are encoded as follows:

- Type Field: 2 bytes
- Value Field: 6 bytes

The interpretation of the value field depends on the value of the Type field. At the present time, two values of the type field are defined: 0 and 1.

- Type 0: The value field consists of two subfields:

  * Administrator subfield: 2 bytes
  * Assigned Number subfield: 4 bytes

  The Administrator subfield must contain an Autonomous System number. If this ASN is from the public ASN space, it must have been assigned by the appropriate authority (use of ASN values from the private ASN space is strongly discouraged). The Assigned Number subfield contains a number from a numbering space which is administered by the enterprise to which the ASN has been assigned by an appropriate authority.

- Type 1: The value field consists of two subfields:

  * Administrator subfield: 4 bytes
  * Assigned Number subfield: 2 bytes

  The Administrator subfield must contain an IP address. If this IP address is from the public IP address space, it must have been assigned by an appropriate authority (use of addresses from the private IP address space is strongly discouraged). The Assigned Number subfield contains a number from a numbering space which is administered by the enterprise to which the IP address has been assigned.

4.3. Controlling Route Distribution

In this section, we discuss the way in which the distribution of the VPN-IPv4 routes is controlled.

4.3.1. The Route Target Attribute

Every VRF is associated with one or more "Route Target" attributes.
When a VPN-IPv4 route is created by a PE router, it is associated with one or more "Route Target" attributes. These are carried in BGP as attributes of the route.

Any route associated with Route Target T must be distributed to every PE router that has a VRF associated with Route Target T. When such a route is received by a PE router, it is eligible to be installed in those of the PE's VRFs which are associated with Route Target T. (Whether it actually gets installed depends on the outcome of the BGP decision process.)

A Route Target attribute can be thought of as identifying a set of sites. (Though it would be more precise to think of it as identifying a set of VRFs.) Associating a particular Route Target attribute with a route allows that route to be placed in the VRFs that are used for routing traffic which is received from the corresponding sites.

There is a set of Route Targets that a PE router attaches to a route received from site S; these may be called the "Export Targets". And there is a set of Route Targets that a PE router uses to determine whether a route received from another PE router could be placed in the VRF associated with site S
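
The Route Distinguisher layout of section 4.2 and the 12-byte VPN-IPv4 address of section 4.1, as an added Python example that is not part of the RFC text or of this page. The function names are hypothetical, the sample values are constructed, and the private 16-bit ASN range 64512-65534 used for the "strongly discouraged" check is an assumption taken from outside the page.

```python
import ipaddress
import struct

def encode_rd(rd_type, admin, number):
    """Pack an RD: 2-byte type field followed by a 6-byte value field."""
    if rd_type == 0:   # 2-byte ASN administrator, 4-byte assigned number
        return struct.pack("!HHI", 0, admin, number)
    if rd_type == 1:   # 4-byte IPv4 administrator, 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    raise ValueError(f"undefined RD type {rd_type}")

def decode_rd(raw):
    """Return (type, administrator, assigned_number) from 8 raw bytes."""
    if len(raw) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        admin, number = struct.unpack("!HI", raw[2:])
        return 0, admin, number
    if rd_type == 1:
        admin, number = struct.unpack("!4sH", raw[2:])
        return 1, str(ipaddress.IPv4Address(admin)), number
    raise ValueError(f"undefined RD type {rd_type}")

def vpn_ipv4(rd, ipv4):
    """12-byte VPN-IPv4 address: the 8-byte RD, then the 4-byte IPv4 address."""
    return rd + ipaddress.IPv4Address(ipv4).packed

def private_administrator(raw):
    """True when the administrator subfield comes from private number space."""
    rd_type, admin, _ = decode_rd(raw)
    if rd_type == 0:
        return 64512 <= admin <= 65534   # assumed private-use 16-bit ASN range
    return ipaddress.IPv4Address(admin).is_private

# Constructed sample: two VPNs reuse 10.1.1.0, told apart only by the RD.
SAMPLE_A = vpn_ipv4(encode_rd(0, 64496, 100), "10.1.1.0")
SAMPLE_B = vpn_ipv4(encode_rd(0, 64496, 200), "10.1.1.0")

if __name__ == "__main__":
    print(SAMPLE_A.hex(), SAMPLE_B.hex(), SAMPLE_A != SAMPLE_B)
```

The two sample addresses share their last four bytes but differ as 12-byte values, which is the only property the RD is meant to provide.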
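
The Route Target matching rule of section 4.3.1, as an added Python example that is not part of the RFC text or of this page: it lists every VRF pair whose targets intersect and reports the pairs that the intended policy does not name, which is how an unintended route leak between VPNs shows up in configuration. The `Vrf` class, the `import_targets` field name, the function names and the Route Target strings are all hypothetical, and the sample configuration is constructed.

```python
from dataclasses import dataclass

@dataclass
class Vrf:
    name: str
    export_targets: set   # attached to routes received from the site
    import_targets: set   # assumed name: targets checked on routes from other PEs

def eligible_vrfs(route_targets, vrfs):
    """VRFs a received route is eligible for: those sharing any Route Target."""
    wanted = set(route_targets)
    return [v.name for v in vrfs if v.import_targets & wanted]

def route_flows(vrfs):
    """Map each (exporter, importer) pair to the Route Targets linking them."""
    return {(src.name, dst.name): sorted(src.export_targets & dst.import_targets)
            for src in vrfs for dst in vrfs
            if src is not dst and src.export_targets & dst.import_targets}

def unexpected_flows(vrfs, allowed):
    """Flows that the configuration permits but the intended policy does not."""
    return {pair: rts for pair, rts in route_flows(vrfs).items()
            if pair not in allowed}

# Constructed sample configuration; "RT-A" and "RT-B" are placeholder targets.
VRFS = [
    Vrf("cust-a-site1", {"RT-A"}, {"RT-A"}),
    Vrf("cust-a-site2", {"RT-A"}, {"RT-A"}),
    Vrf("cust-b-site1", {"RT-B"}, {"RT-B", "RT-A"}),   # stray import of RT-A
]
# Intended policy: only the two customer A sites exchange routes.
ALLOWED = {("cust-a-site1", "cust-a-site2"), ("cust-a-site2", "cust-a-site1")}

if __name__ == "__main__":
    for (src, dst), rts in unexpected_flows(VRFS, ALLOWED).items():
        print(f"unexpected: {src} -> {dst} via {rts}")
```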